Commit Graph

2907 Commits

Author SHA1 Message Date
Qiang Huang b15668b36d Fix all typos found by misspell
I use the same tool (https://github.com/client9/misspell)
as Daniel used a few days ago, don't why he missed these
typos at that time.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-10-29 14:14:42 +08:00
Michael Crosby 4c8007f34a Merge pull request #1153 from hqhq/remove_cloneflag_check
Remove unnecessary cloneflag validation
2016-10-28 16:00:52 -07:00
Qiang Huang e7abf30cb8 Merge pull request #1150 from WeiZhang555/forbid-duplicated-namespace
Detect and forbid duplicated namespace in spec
2016-10-27 10:23:16 +08:00
Qiang Huang f520eab891 Remove unnecessary cloneflag validation
config.cloneflag is not mandatory, when using `runc exec`,
config.cloneflag can be empty, and even then it won't be
`-1` but `0`.

So this validation is totally wrong and unneeded.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-10-27 09:34:20 +08:00
Mrunal Patel 4599e7074e Merge pull request #1148 from rhvgoyal/parent-mount-private
Make parent mount private before bind mounting rootfs
2016-10-26 17:30:37 +00:00
Zhang Wei a0f7977f0f Detect and forbid duplicated namespace in spec
When spec file contains duplicated namespaces, e.g.

specs: specs.Spec{
        Linux: &specs.Linux{
            Namespaces: []specs.Namespace{
                {
                    Type: "pid",
                },
                {
                    Type: "pid",
                    Path: "/proc/1/ns/pid",
                },
            },
        },
    }

runc should report malformed spec instead of using latest one by
default, because this spec could be quite confusing.

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2016-10-27 00:44:36 +08:00
Michael Crosby 6328410520 Merge pull request #1149 from cyphar/fix-sysctl-validation
validator: unbreak sysctl net.* validation
2016-10-26 09:06:41 -07:00
Qiang Huang a08733bd5d Merge pull request #1147 from datawolf/check-pid-file
Check pid file
2016-10-26 20:59:40 +08:00
Aleksa Sarai 1ab3c035d2
validator: actually test success
Previously we only tested failures, which causes us to miss issues where
setting sysctls would *always* fail.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-26 23:07:57 +11:00
Aleksa Sarai 2a94c3651b
validator: unbreak sysctl net.* validation
When changing this validation, the code actually allowing the validation
to pass was removed. This meant that any net.* sysctl would always fail
to validate.

Fixes: bc84f83344 ("fix docker/docker#27484")
Reported-by: Justin Cormack <justin.cormack@docker.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-26 22:58:51 +11:00
Qiang Huang 157a96a428 Merge pull request #977 from cyphar/nsenter-userns-ordering
nsenter: guarantee correct user namespace ordering
2016-10-26 16:45:15 +08:00
Vivek Goyal 6c147f8649 Make parent mount private before bind mounting rootfs
This reverts part of the commit eb0a144b5e

That commit introduced two issues.

- We need to make parent mount of rootfs private before bind mounting
  rootfs. Otherwise bind mounting root can propagate in other mount
  namespaces. (If parent mount is shared).

- It broke test TestRootfsPropagationSharedMount() on Fedora.

  On fedora /tmp is a mount point with "shared" propagation. I think
  you should be able to reproduce it on other distributions as well
  as long as you mount tmpfs on /tmp and make it "shared" propagation.

  Reason for failure is that pivot_root() fails. And it fails because
  kernel does following check.

  IS_MNT_SHARED(new_mnt->mnt_parent)

  Say /tmp/foo is new rootfs, we have bind mounted rootfs, so new_mnt
  is /tmp/foo, and new_mnt->mnt_parent is /tmp which is "shared" on
  fedora and above check fails.

So this change broke few things, it is a good idea to revert part of it.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2016-10-25 11:15:11 -04:00
Wang Long 2c74f86e23 Employ jq and state command to make sure that pid-file contains the right information
Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-10-25 15:48:38 +08:00
Aleksa Sarai d6b68e8a60
merge branch 'pr-1141'
LGTMs: @mrunalp @cyphar
Closes #1141
2016-10-25 16:39:53 +11:00
Aleksa Sarai ae078224fc
merge branch 'pr-1129'
LGTMs: @mrunalp @cyphar
Closes #1129
2016-10-25 16:38:01 +11:00
Qiang Huang 4ec570d060 Merge pull request #1138 from gaocegege/fix-config-validator
docker/docker#27484-check if sysctls are used in host network mode.
2016-10-25 11:08:51 +08:00
Aleksa Sarai c7ed2244f4
merge branch 'pr-1125'
LGTMs: @hqhq @mrunalp
Closes #1125
2016-10-25 10:05:28 +11:00
Mrunal Patel 35f55e6aa8 Merge pull request #1140 from rajasec/ps-bash-completions
Updating bash completion for ps command
2016-10-24 09:56:39 -07:00
Mrunal Patel fdfe45b22a Merge pull request #1139 from allencloud/fix-nit-in-stderr-log
fix nits in stderr log
2016-10-24 09:56:01 -07:00
Wang Long ba1c0b4fa3 check the arguments for `runc create`
This patch checks the arguments for command  `runc create`.
the `create` command requires exactly one argument

eg:

root@ubuntu:~# runc create -b /mycontainer/ a
root@ubuntu:~# runc list
ID          PID         STATUS      BUNDLE         CREATED
a           61637       created     /mycontainer   2016-10-20T08:21:20.169810942Z
root@ubuntu:~# runc create -b /mycontainer/ a b
runc: "create" requires exactly one argument
root@ubuntu:~# runc create -b /mycontainer/
runc: "create" requires exactly one argument

Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-10-24 11:09:06 +08:00
allencloud f550f04f20 fix nits in stderr log
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-10-23 22:43:53 +08:00
rajasec 4cfbd2555d Small typo in README
Signed-off-by: rajasec <rajasec79@gmail.com>

Fixing small typo in README

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-10-23 19:08:17 +05:30
rajasec b2a194f226 Updating bash completion for ps command
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-10-22 21:51:21 +05:30
Qiang Huang 850b9c0b50 Merge pull request #1132 from datawolf/add-integration-test-for-create
add test cases for create command
2016-10-22 17:46:33 +08:00
Qiang Huang d15661dc4d Merge pull request #1131 from datawolf/add-integration-test-for-list
add test cases for list command
2016-10-22 17:43:04 +08:00
Ce Gao 41c35810f2 add test cases about host ns
Signed-off-by: Ce Gao <ce.gao@outlook.com>
2016-10-22 11:31:15 +08:00
Ce Gao bc84f83344 fix docker/docker#27484
Signed-off-by: Ce Gao <ce.gao@outlook.com>
2016-10-22 11:22:52 +08:00
Alexander Morozov 1ab9d5e6f4 Merge pull request #845 from mrunalp/cp_tmpfs
Add support for copying up directories into tmpfs when a tmpfs is mounted over them
2016-10-21 13:47:16 -07:00
Mrunal Patel c4198ad9af Merge pull request #1134 from WeiZhang555/tiny-refactor
Some refactor and cleanup
2016-10-20 15:08:40 -07:00
Mrunal Patel fa5e0cdba2 Merge pull request #1136 from yongtang/27540-exec-state-proc-pid-stat
Fix issue in `GetProcessStartTime`
2016-10-20 15:08:01 -07:00
Yong Tang a83f5bac28 Fix issue in `GetProcessStartTime`
This fix tries to address the issue raised in docker:
https://github.com/docker/docker/issues/27540

The issue was that `GetProcessStartTime` use space `"  "`
to split the `/proc/[pid]/stat` and take the `22`th value.

However, the `2`th value is inside `(` and `)`, and could
contain space. The following are two examples:
```
ubuntu@ubuntu:~/runc$ cat /proc/90286/stat
90286 (bash) S 90271 90286 90286 34818 90286 4194560 1412 1130576 4 0 2 1 2334 438 20 0 1 0 3093098 20733952 823 18446744073709551615 1 1 0 0 0 0 0 3670020 1266777851 0 0 0 17 1 0 0 0 0 0 0 0 0 0 0 0 0 0
ubuntu@ubuntu:~/runc$ cat /proc/89653/stat
89653 (gunicorn: maste) S 89630 89653 89653 0 -1 4194560 29689 28896 0 3 146 32 76 19 20 0 1 0 2971844 52965376 3920 18446744073709551615 1 1 0 0 0 0 0 16781312 137447943 0 0 0 17 1 0 0 0 0 0 0 0 0 0 0 0 0 0
```

This fix fixes this issue by removing the prefix before `)`,
then finding the `20`th value (instead of `22`th value).

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-10-20 11:34:21 -07:00
Zhang Wei c179b0ffc7 Some refactor and cleanup
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2016-10-20 17:58:51 +08:00
Wang Long 5aef160c5a add test cases for list command
This patch add test `-q` option for list command.

Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-10-20 16:45:34 +08:00
Wang Long 596a4c397c add test cases for create command
This patch add test `--pid-file` option for create command.

Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-10-20 16:23:27 +08:00
Aleksa Sarai f8e6b5af5e
rootfs: make pivot_root not use a temporary directory
Namely, use an undocumented feature of pivot_root(2) where
pivot_root(".", ".") is actually a feature and allows you to make the
old_root be tied to your /proc/self/cwd in a way that makes unmounting
easy. Thanks a lot to the LXC developers which came up with this idea
first.

This is the first step of many to allowing runC to work with a
completely read-only rootfs.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-20 12:55:58 +11:00
Michael Crosby 2a5001c1bc Merge pull request #1124 from derekwaynecarr/apply-idempotent
Ignore error when starting transient unit that already exists
2016-10-19 13:52:10 -07:00
Derek Carr d223e2adae Ignore error when starting transient unit that already exists
Signed-off-by: Derek Carr <decarr@redhat.com>
2016-10-19 14:55:52 -04:00
Michael Crosby b827292ef7 Merge pull request #1121 from cyphar/fix-masked-paths-test
tests: mask: use test paths rather than /sys
2016-10-19 11:16:42 -07:00
Qiang Huang 19ab304367 Merge pull request #1091 from rajasec/ps-errors
ps error logging improvement
2016-10-19 11:11:41 +08:00
Aleksa Sarai 6e97f3ad69
tests: mask: use test paths rather than /sys
In certain circumstances (such as the rootless containers patchset), it
is not possible to test things using /sys/firmware. In addition, we
should be testing our own functionality rather than testing protection
against /sys attacks (for which the system might already have extra
protections).

Instead, just make some fake paths in the rootfs that we then mask.
Oddly I noticed that one of the errors changed when doing this (because
before we tested removing a file from /sys/firmware which is -EPERM). So
the old test was broken.

Fixes: 53179559a1 ("MaskPaths: support directory")
Fixes: #1068
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-19 05:59:50 +11:00
Andrew Vagin 88b4c4851e Merge pull request #1120 from cyphar/fix-gofmt
checkpoint: fix gofmt
2016-10-18 23:56:48 +05:00
Aleksa Sarai 38560a0316
checkpoint: fix gofmt
Fixes: a60040c62d ("Container must not checkpoint in created state")
Fixes: #1076
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-19 05:37:24 +11:00
Aleksa Sarai e3cd191acc
nsenter: un-split clone(cloneflags) for RHEL
Without this patch applied, RHEL's SELinux policies cause container
creation to not really work. Unfortunately this might be an issue for
rootless containers (opencontainers/runc#774) but we'll cross that
bridge when we come to it.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-18 18:26:27 +11:00
Aleksa Sarai bf77e5976a
merge branch 'pr-1118'
Closes: #1118
LGTMs: @cyphar @hqhq
2016-10-18 18:17:31 +11:00
Wang Long ed6c5c038c update the man for runc delete command
This patch also change the description in delete.go in order to
keep consistent with the mannual.

Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-10-18 12:18:10 +08:00
Mrunal Patel 0259c00a35 Merge pull request #1105 from keloyang/check-kill-signal-num
Add num check for kill command
2016-10-17 15:15:28 -07:00
Mrunal Patel 4161f2a63b Merge pull request #1115 from rajasec/filemode-panic
Fixing runc panic for missing file mode
2016-10-17 15:01:49 -07:00
Mrunal Patel 30a122d068 Merge pull request #1112 from rhatdan/romount
Add support for r/o mount labels
2016-10-17 14:45:32 -07:00
Michael Crosby 4dcc0466e2 Merge pull request #1074 from datawolf/multi-containers
start multi-containers with `runc start` command
2016-10-17 14:31:04 -07:00
Dan Walsh 6932807107 Add support for r/o mount labels
We need support for read/only mounts in SELinux to allow a bunch of
containers to share the same read/only image.  In order to do this
we need a new label which allows container processes to read/execute
all files but not write them.

Existing mount label is either shared write or private write.  This
label is shared read/execute.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-10-17 16:56:42 -04:00